Companies can take steps to fix flaws without patches

In a new report, eEye found that upgrading to the latest major release versions of Microsoft software would have mitigated close to 50% of all Microsoft vulnerabilities identified in 2010.

“If you had been running Windows 7 on your workstation, versus Windows Vista or XP, in 2010, you would have protected around 49% of all Microsoft vulnerabilities that year, which is a pretty staggering number when you look at how much time you can get back from an IT perspective”, Maiffret told Infosecurity.

The report also found that having a properly configured proxy server would have prevented information from being stolen by the Aurora virus, because it was not proxy aware.

“If you were to set up your environment to restrict all outbound network traffic except for web-based traffic, which you forced to go through an authenticated web proxy…you still might be compromised, but the way the malware tries to communicate back to the control server is in a lot of cases not proxy aware, so it is not going to be able to communicate out of your environment”, Maiffret observed.

In addition, the report found that Windows 7 used in conjunction with access control lists could have prevented a worm such as Stuxnet from spreading once it was inside a system.

“Just by having proper file provisions on locking down the different folders of Windows, in this case the task scheduler drops folder, by restricting it so only administrators can create new jobs, you would essentially mitigate…one of the vulnerabilities attacked by Stuxnet”, Maiffret said.

In addition, disabling WebDAV, WebClient Services, and MS Office Converters would have prevented 12% of all vulnerabilities patched by MS in 2010 from being exploited, the report found.

“WebDAV is being used as a way for attackers to be able to attack different vulnerabilities within your everyday client application software”, Maiffret said, adding that organizations should assess where WebDAV is needed and disable it in places where it is not needed.
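Two of the report's configuration mitigations (the locked-down Task Scheduler drop folder and the disabled WebClient/WebDAV service) can be audited from an elevated PowerShell session. The script below is an added example, not part of the eEye report or this article; it assumes the standard `%SystemRoot%\Tasks` folder and the standard `WebClient` service name, and it only reports, leaving remediation to the administrator.

```powershell
# Added audit script (not from the eEye report). Run in an elevated PowerShell session.
# Check 1: can broad, unprivileged principals create or write files in the legacy
#          Task Scheduler drop folder (%SystemRoot%\Tasks)? Only administrators should.
# Check 2: is the WebClient service (the WebDAV redirector) disabled and stopped?

$tasksFolder = Join-Path $env:SystemRoot 'Tasks'   # assumed standard location

function Test-TasksFolderLockedDown {
    param([string]$Path = $tasksFolder)
    # Principals that should not be able to drop job files here
    $broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                         'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $write       = [int][System.Security.AccessControl.FileSystemRights]::Write
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($broadPrincipals -notcontains $id) { continue }
        $rights = [int]$ace.FileSystemRights
        # Flag any Allow ACE that grants CreateFiles (WriteData) or generic Write
        if ((($rights -band $createFiles) -ne 0) -or (($rights -band $write) -ne 0)) {
            $findings += "$id can create/write files in $Path"
        }
    }
    return $findings
}

function Test-WebClientDisabled {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) { return $true }   # service not installed at all
    return (($svc.StartMode -eq 'Disabled') -and ($svc.State -ne 'Running'))
}

$issues = @(Test-TasksFolderLockedDown)
if ($issues.Count -eq 0) {
    Write-Output "OK: no broad principal can write to $tasksFolder"
} else {
    $issues | ForEach-Object { Write-Output "FINDING: $_" }
}

if (Test-WebClientDisabled) {
    Write-Output 'OK: WebClient (WebDAV) service is disabled'
} else {
    # Remediation, once WebDAV is confirmed unneeded on this host:
    #   Stop-Service -Name WebClient; Set-Service -Name WebClient -StartupType Disabled
    Write-Output 'FINDING: WebClient (WebDAV) service is enabled or running'
}
```

A finding on the Tasks folder means a non-administrator could still drop job files there, which is the condition the report says the ACL change removes; the WebClient check covers only the service itself, not the Office converters the report also names.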

“So much of our focus in security revolves around the latest threat of the moment, whatever folks are worried about, such as the high profile attacks of Aurora or Stuxnet. While those things are going to be interesting to cover, there seems to be a void in getting out specific examples that folks working in IT can do to better protect their systems…. That is the purpose of this research”, Maiffret concluded.